Malware analysis zapret roblox.rar Malicious activity

Add for printing

File name:	zapret roblox.rar
Full analysis:	https://app.any.run/tasks/1de65636-9624-4ee9-bfbc-a4ed84d8a5c8
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	February 28, 2026, 09:55:16
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	windivert-sys mal-driver arch-exec arch-doc salatstealer stealer golang upx susp-powershell ms-smartcard
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v5
MD5:	C879367B7E9A3E970AED3A889582A6CC
SHA1:	DA2B54B9C1F5C618368E23B1D440BEA4E34239FC
SHA256:	455BE0E1B6A2172DF1E6C1E58F0EE300E1A8B7A114F15D19BF66472B4CC4D41F
SSDEEP:	98304:ib4utV58b/Jj789rv5D6uDefjFvppr9VWIw2YHWdvwe+VHRJBpY4S+RWFOHfa1cK:G4biK4dF2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java(TM) SE Development Kit 25.0.2 (64-bit) (25.0.2.0)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Malicious driver has been detected
  - WinRAR.exe (PID: 7576)
- Detects Cygwin installation
  - WinRAR.exe (PID: 7576)
- SALATSTEALER mutex has been found
  - RobloxFix.exe (PID: 7132)
  - MoUsoCoreWorker.exe (PID: 7236)
- SALATSTEALER has been detected (SURICATA)
  - RobloxFix.exe (PID: 7132)
  - MoUsoCoreWorker.exe (PID: 7236)
  - smss.exe (PID: 4376)
- SALATSTEALER has been detected (YARA)
  - RobloxFix.exe (PID: 7132)
  - MoUsoCoreWorker.exe (PID: 7236)
- Actions looks like stealing of personal data
  - MoUsoCoreWorker.exe (PID: 7236)
  - smss.exe (PID: 4376)
- Steals credentials from Web Browsers
  - MoUsoCoreWorker.exe (PID: 7236)
  - smss.exe (PID: 4376)
- Starts REAGENTC.EXE to disable the Windows Recovery Environment
  - ReAgentc.exe (PID: 7796)
  - ReAgentc.exe (PID: 1080)
SUSPICIOUS
- Drops a system driver (possible attempt to evade defenses)
  - WinRAR.exe (PID: 7576)
- Application launched itself
  - RobloxFix.exe (PID: 5116)
- Multiple wallet extension IDs have been found
  - RobloxFix.exe (PID: 7132)
  - MoUsoCoreWorker.exe (PID: 7236)
- Starts itself from another location
  - RobloxFix.exe (PID: 7132)
  - MoUsoCoreWorker.exe (PID: 7236)
  - smss.exe (PID: 4376)
- Executable content was dropped or overwritten
  - RobloxFix.exe (PID: 7132)
  - MoUsoCoreWorker.exe (PID: 7236)
- Possible stealing of messenger data
  - MoUsoCoreWorker.exe (PID: 7236)
  - smss.exe (PID: 4376)
- Possible stealing from crypto wallets
  - MoUsoCoreWorker.exe (PID: 7236)
  - smss.exe (PID: 4376)
- Starts POWERSHELL.EXE for commands execution
  - MoUsoCoreWorker.exe (PID: 7236)
  - smss.exe (PID: 4376)
- Gets path to any of the special folders (POWERSHELL)
  - powershell.exe (PID: 2220)
- The process executes via Task Scheduler
  - smss.exe (PID: 4376)
INFO
- Drops script file
  - WinRAR.exe (PID: 7576)
  - MoUsoCoreWorker.exe (PID: 7236)
  - powershell.exe (PID: 2220)
  - smss.exe (PID: 4376)
  - firefox.exe (PID: 6412)
  - powershell.exe (PID: 6960)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 7576)
- The sample compiled with english language support
  - WinRAR.exe (PID: 7576)
- Reads security settings of Internet Explorer
  - WinRAR.exe (PID: 7576)
  - RobloxFix.exe (PID: 5116)
- Reads the machine GUID from the registry
  - RobloxFix.exe (PID: 5116)
  - RobloxFix.exe (PID: 7132)
  - MoUsoCoreWorker.exe (PID: 7236)
  - MoUsoCoreWorker.exe (PID: 5604)
  - MoUsoCoreWorker.exe (PID: 6076)
  - smss.exe (PID: 7008)
  - smss.exe (PID: 7132)
- Process checks computer location settings
  - RobloxFix.exe (PID: 5116)
- Reads the computer name
  - RobloxFix.exe (PID: 5116)
  - RobloxFix.exe (PID: 7132)
  - MoUsoCoreWorker.exe (PID: 7236)
  - MoUsoCoreWorker.exe (PID: 5604)
  - MoUsoCoreWorker.exe (PID: 6076)
  - smss.exe (PID: 7008)
  - smss.exe (PID: 7132)
- Checks supported languages
  - RobloxFix.exe (PID: 5116)
  - RobloxFix.exe (PID: 7132)
  - MoUsoCoreWorker.exe (PID: 7236)
  - MoUsoCoreWorker.exe (PID: 6076)
  - MoUsoCoreWorker.exe (PID: 5604)
  - smss.exe (PID: 4376)
  - smss.exe (PID: 7008)
  - smss.exe (PID: 7132)
- UPX packer has been detected
  - RobloxFix.exe (PID: 7132)
  - MoUsoCoreWorker.exe (PID: 7236)
- Found Base64 encoded access to Windows Defender via PowerShell (YARA)
  - RobloxFix.exe (PID: 7132)
  - MoUsoCoreWorker.exe (PID: 7236)
- Application based on Golang
  - RobloxFix.exe (PID: 7132)
  - MoUsoCoreWorker.exe (PID: 7236)
- Detects GO elliptic curve encryption (YARA)
  - RobloxFix.exe (PID: 7132)
  - MoUsoCoreWorker.exe (PID: 7236)
- There is functionality for taking screenshot (YARA)
  - RobloxFix.exe (PID: 7132)
  - MoUsoCoreWorker.exe (PID: 7236)
- Creates files in the program directory
  - RobloxFix.exe (PID: 7132)
  - MoUsoCoreWorker.exe (PID: 7236)
  - smss.exe (PID: 4376)
- Found Base64 encoded access to environment variables via PowerShell (YARA)
  - RobloxFix.exe (PID: 7132)
  - MoUsoCoreWorker.exe (PID: 7236)
- Drops encrypted JS script (Microsoft Script Encoder)
  - MoUsoCoreWorker.exe (PID: 7236)
  - smss.exe (PID: 4376)
- Create files in a temporary directory
  - MoUsoCoreWorker.exe (PID: 7236)
- Checks current location (POWERSHELL)
  - powershell.exe (PID: 2220)
- Checks if a key exists in the options dictionary (POWERSHELL)
  - powershell.exe (PID: 2220)
- Script raised an exception (POWERSHELL)
  - powershell.exe (PID: 2220)
- Application launched itself
  - firefox.exe (PID: 8144)
  - firefox.exe (PID: 6412)
- Manual execution by a user
  - firefox.exe (PID: 8144)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.rar	\|	RAR compressed archive (v5.0) (61.5)
.rar	\|	RAR compressed archive (gen) (38.4)

EXIF

ZIP

FileVersion:	RAR v5
CompressedSize:	972443
UncompressedSize:	2954293
OperatingSystem:	Win32
ArchivedFileName:	Новая папка (2)/bin/cygwin1.dll

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

304

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1080

"C:\WINDOWS\system32\ReAgentc.exe" /disable

C:\Windows\SysWOW64\ReAgentc.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft Windows Recovery Agent

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\reagentc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll

1456

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5124 -prefsLen 39330 -prefMapHandle 5132 -prefMapSize 273045 -jsInitHandle 5244 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 5308 -initialChannelId {8ec18040-e9a9-4ae6-9d5d-b556a4b22c76} -parentPid 6412 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6412" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Exit code:

Version:

136.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\vcruntime140_1.dll

2036

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4148 -prefsLen 45219 -prefMapHandle 4152 -prefMapSize 273045 -jsInitHandle 4156 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 4164 -initialChannelId {2c41cb86-7b46-49e1-a874-2d9074236d5d} -parentPid 6412 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6412" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Exit code:

Version:

136.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\bcrypt.dll

2216

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2220

powershell.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

—

MoUsoCoreWorker.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

3996

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5112 -prefsLen 39330 -prefMapHandle 5116 -prefMapSize 273045 -jsInitHandle 5124 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 5132 -initialChannelId {1eac9472-26be-4f2b-b19e-9d2a4fa07971} -parentPid 6412 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6412" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Exit code:

Version:

136.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\bcrypt.dll

4376

"C:\Program Files (x86)\Windows Photo Viewer\smss.exe"

C:\Program Files (x86)\Windows Photo Viewer\smss.exe

svchost.exe

User:

admin

Integrity Level:

HIGH

Modules

Images
c:\windows\syswow64\dhcpcsvc.dll
c:\windows\syswow64\dnsapi.dll
c:\windows\syswow64\rasadhlp.dll
c:\windows\syswow64\fwpuclnt.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\netapi32.dll
c:\windows\syswow64\wkscli.dll
c:\windows\syswow64\netutils.dll
c:\windows\syswow64\samcli.dll

5116

"C:\Users\admin\AppData\Local\Temp\Rar$EXa7576.18356\Новая папка (2)\RobloxFix.exe"

C:\Users\admin\AppData\Local\Temp\Rar$EXa7576.18356\Новая папка (2)\RobloxFix.exe

—

WinRAR.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\rar$exa7576.18356\новая папка (2)\robloxfix.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\bcryptprimitives.dll

5192

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250227124745 -sandboxingKind 0 -prefsHandle 4480 -prefsLen 45326 -prefMapHandle 4816 -prefMapSize 273045 -ipcHandle 4612 -initialChannelId {1ef66993-5086-4a35-b679-508503ccc68d} -parentPid 6412 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6412" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Exit code:

Version:

136.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\crypt32.dll

5240

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5116 -prefsLen 39698 -prefMapHandle 5500 -prefMapSize 273045 -jsInitHandle 5284 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 5680 -initialChannelId {51b68c18-afd1-464a-9f89-cf7b087a0378} -parentPid 6412 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6412" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 10 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Exit code:

Version:

136.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\msvcp140.dll

Add for printing

Total events

20 357

Read events

20 265

Write events

Delete events

Modification events


(PID) Process:	(7576) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(7576) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(7576) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(7576) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(7576) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Downloads\chromium_build 1.zip
(PID) Process:	(7576) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\zapret roblox.rar
(PID) Process:	(7576) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(7576) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(7576) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(7576) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100

Add for printing

Executable files

Suspicious files

Text files

Unknown types

285

Dropped files

PID	Process	Filename		Type
7576	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa7576.18356\Новая папка (2)\general (ALT10).bat		text
		MD5:666394850863BC1DCE5FA24A49A9D3EA	SHA256:652207A70A993EBCF02FD2463F5E9593AC593FFB75D84EC4B8871CF8D84033C1
7576	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa7576.18356\Новая папка (2)\bin\tls_clienthello_4pda_to.bin		binary
		MD5:E6D649DE132C3C10CB62531EF74F5B73	SHA256:EEFEAF09DDE8D69B1F176212541F63C68B314A33A335ECED99A8A29F17254DA8
7576	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa7576.18356\Новая папка (2)\bin\winws.exe		executable
		MD5:F94C4B0110FECCD6AECA48C93B278D8B	SHA256:31D68A175ABEBAB19F7F39BF6D0845EC5C18AB653EEEEA6EE830B22D799B7E55
7576	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa7576.18356\Новая папка (2)\bin\WinDivert64.sys		executable
		MD5:89ED5BE7EA83C01D0DE33D3519944AA5	SHA256:8DA085332782708D8767BCACE5327A6EC7283C17CFB85E40B03CD2323A90DDC2
7576	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa7576.18356\Новая папка (2)\general (ALT).bat		text
		MD5:A5DE0FB5BEF76003C74034271B70BCC6	SHA256:BDFA28F0F299672EB074026780FDB19A52ED1732810E674E80F4C1890F8AEDC1
7576	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa7576.18356\Новая папка (2)\bin\WinDivert.dll		executable
		MD5:B2014D33EE645112D5DC16FE9D9FCBFF	SHA256:C1E060EE19444A259B2162F8AF0F3FE8C4428A1C6F694DCE20DE194AC8D7D9A2
7576	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa7576.18356\Новая папка (2)\general (ALT5).bat		text
		MD5:77D16DBC97714C2287BA1BDAC96B2A9A	SHA256:99EEA6F7DE9EA0DE0924823C1DB1FB99A25B78FDACCD862E751706C4D01FBF44
7576	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa7576.18356\Новая папка (2)\general (ALT4).bat		text
		MD5:AEEE5054DB95EF77E520B3455FE47FA9	SHA256:46409E3C9239057702E03EB6896277B8904CA529D842D72A938A34B0C2B18CBC
7576	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa7576.18356\Новая папка (2)\general (ALT3).bat		text
		MD5:406F92C91857C9201C2A7E2B5E5580D9	SHA256:0DEC95AEB21EE9803089667C1167B3F6E535DD58CA7A3629BD348F97663B210C
7576	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa7576.18356\Новая папка (2)\general (ALT6).bat		text
		MD5:40A8A46561C45B0D0D7465D69D0712AD	SHA256:1D61E089D24979779EBB14756FF1FFD1936782E6A45EDFF9B6E4FA6051C34C7F

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

304

TCP/UDP connections

148

DNS requests

132

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5276	MoUsoCoreWorker.exe	GET	304	40.127.240.158:443	https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop	unknown	—	—	whitelisted
5276	MoUsoCoreWorker.exe	GET	304	51.104.136.2:443	https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30	unknown	—	—	whitelisted
7720	svchost.exe	GET	304	51.104.136.2:443	https://settings-win.data.microsoft.com/settings/v3.0/WSD/UpdateHealthTools?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3626&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=SedimentPack&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2	unknown	—	—	whitelisted
7176	SIHClient.exe	GET	304	74.178.240.61:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	whitelisted
7176	SIHClient.exe	GET	200	135.232.92.97:443	https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping	unknown	—	—	whitelisted
7176	SIHClient.exe	GET	200	74.178.240.61:443	https://slscr.update.microsoft.com/sls/ping	unknown	—	—	whitelisted
7176	SIHClient.exe	GET	304	74.178.240.61:443	https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	whitelisted
7248	svchost.exe	POST	200	20.190.159.68:443	https://login.live.com/RST2.srf	unknown	—	11.1 Kb	whitelisted
5568	svchost.exe	POST	200	135.236.136.109:443	https://licensing.mp.microsoft.com/v7.0/licenses/content	unknown	—	8.05 Kb	whitelisted
5276	MoUsoCoreWorker.exe	GET	200	40.127.240.158:443	https://settings-win.data.microsoft.com/settings/v3.0/FlightSettings/FSService?ProcessorClockSpeed=3094&IsRetailOS=1&OEMManufacturerName=DELL&FlightingPolicyValue=3&EnablePreviewBuilds=4294967295&OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&ManagePreviewBuilds=3&BranchReadinessLevelSource=0&AttrDataVer=186&ProcessorCores=6&BranchReadinessLevelRaw=16&TotalPhysicalRAM=6144&TPMVersion=0&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&DeviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&App=FSS&AppVer=10.0&SmartActiveHoursState=1&ActiveHoursStart=20&SecureBootCapable=0&ActiveHoursEnd=13&DeviceFamily=Windows.Desktop	unknown	binary	87.3 Kb	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
7720	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5276	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7248	svchost.exe	20.190.159.129:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
7248	svchost.exe	20.190.159.68:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5276	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7248	svchost.exe	184.30.131.245:80	ocsp.digicert.com	AKAMAI-AS	US	whitelisted
5276	MoUsoCoreWorker.exe	2.16.164.72:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 40.127.240.158	whitelisted
login.live.com	20.190.159.129 20.190.159.68 20.190.159.64 20.190.159.130 20.190.159.131 20.190.159.23 20.190.159.0 40.126.31.131 40.126.31.69 20.190.159.4 40.126.31.1 40.126.31.73 40.126.31.130 40.126.31.71	whitelisted
client.wns.windows.com	172.211.123.250 172.211.123.249	whitelisted
google.com	142.251.143.110	whitelisted
self.events.data.microsoft.com	13.89.179.10 20.50.201.205	whitelisted
ocsp.digicert.com	184.30.131.245 162.159.142.9 172.66.2.5	whitelisted
crl.microsoft.com	2.16.164.72 2.16.164.120	whitelisted
www.microsoft.com	23.59.18.102	whitelisted
licensing.mp.microsoft.com	135.236.136.109	whitelisted
dns.google	8.8.4.4 8.8.8.8	whitelisted

Threats

PID	Process	Class	Message
5276	MoUsoCoreWorker.exe	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2232	svchost.exe	Misc activity	INFO [ANY.RUN] Google DNS-over-HTTPS service requested (dns. google)
7132	RobloxFix.exe	A Network Trojan was detected	MALWARE [ANY.RUN] Win32/Salatstealer JA3 hash observed
7132	RobloxFix.exe	A Network Trojan was detected	MALWARE [ANY.RUN] Win32/Salatstealer JA3 hash observed
2232	svchost.exe	Misc activity	INFO [ANY.RUN] Cloudflare DNS-over-HTTPS service requested (cloudflare-dns .com)
7132	RobloxFix.exe	Misc activity	ET INFO Observed Google DNS over HTTPS Domain (dns .google in TLS SNI)
7132	RobloxFix.exe	Misc activity	ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)
7236	MoUsoCoreWorker.exe	A Network Trojan was detected	MALWARE [ANY.RUN] Win32/Salatstealer JA3 hash observed
7236	MoUsoCoreWorker.exe	A Network Trojan was detected	MALWARE [ANY.RUN] Win32/Salatstealer JA3 hash observed
2232	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)

Add for printing

No debug info

General Info

zapret roblox.rar

C879367B7E9A3E970AED3A889582A6CC

DA2B54B9C1F5C618368E23B1D440BEA4E34239FC

455BE0E1B6A2172DF1E6C1E58F0EE300E1A8B7A114F15D19BF66472B4CC4D41F

98304:ib4utV58b/Jj789rv5D6uDefjFvppr9VWIw2YHWdvwe+VHRJBpY4S+RWFOHfa1cK:G4biK4dF2

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Malicious driver has been detected

Detects Cygwin installation

SALATSTEALER mutex has been found

SALATSTEALER has been detected (SURICATA)

SALATSTEALER has been detected (YARA)

Actions looks like stealing of personal data

Steals credentials from Web Browsers

Starts REAGENTC.EXE to disable the Windows Recovery Environment

SUSPICIOUS

Drops a system driver (possible attempt to evade defenses)

Application launched itself

Multiple wallet extension IDs have been found

Starts itself from another location

Executable content was dropped or overwritten

Possible stealing of messenger data

Possible stealing from crypto wallets

Starts POWERSHELL.EXE for commands execution

Gets path to any of the special folders (POWERSHELL)

The process executes via Task Scheduler

INFO

Drops script file

Executable content was dropped or overwritten

The sample compiled with english language support

Reads security settings of Internet Explorer

Reads the machine GUID from the registry

Process checks computer location settings

Reads the computer name

Checks supported languages

UPX packer has been detected

Found Base64 encoded access to Windows Defender via PowerShell (YARA)

Application based on Golang

Detects GO elliptic curve encryption (YARA)

There is functionality for taking screenshot (YARA)

Creates files in the program directory

Found Base64 encoded access to environment variables via PowerShell (YARA)

Drops encrypted JS script (Microsoft Script Encoder)

Create files in a temporary directory

Checks current location (POWERSHELL)

Checks if a key exists in the options dictionary (POWERSHELL)

Script raised an exception (POWERSHELL)

Application launched itself

Manual execution by a user

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules